ENKI: Access Control for Encrypted Query Processing

ENKI: Access Control for
Encrypted Query Processing
Isabelle Hang, Florian Kerchbaum, and Ernesto Damiani
ACM SIGMOD International Conference on Management of Data
Melbourne, Victoria, Australia, May 2015
SWIM Seminar
November 27, 2015
Mateus Cruz

Introduction Access Control Query Rewriting Proxy Re-Encryption Split Execution Experiments Summary
OUTLINE
1 Introduction
2 Access Control
3 Query Rewriting
4 Proxy Re-Encryption
5 Split Execution
6 Experiments
7 Summary

OVERVIEW
Query data encrypted using different keys
Access control enforced by encryption
Secure proxy re-encryption
Non-transitive and non-symmetric
Split query execution
Less computation on the client
37% performance overhead
1 / 33

REVIEW: CRYPTDB
SQL queries over encrypted data
Proxy controls access
Limitations
Column-level as minimum granularity
Onions of encryption
– Decreasing security
– Storage overhead
2 / 33

ARCHITECTURE
Threat model
Passive attacker
Attacks on clients are out of the scope
3 / 33

ACCESS CONTROL MATRIX
Rows correspond to subjects (S = |n|)
Columns correspond to objects (O)
Values 1 represent granted rights
Read, update or delete
No support for different rights
E.g.: Read-only
Example
User t1 t2 t3 t4 t5
Alice 0 1 1 1 1
Bob 1 1 0 1 0
4 / 33

QUALIFIED SET (QSi )
Set of subjects with access to an object
Column of an access control matrix
Never empty
Example
User t1 t2 t3 t4 t5
Alice 0 1 1 1 1
Bob 1 1 0 1 0
QSt4
= {1, 1}
So, Alice and Bob
have access to t4.
5 / 33

USER GROUPS (pi )
pi ∈ P∗
(S)
P∗
(S): power set of all subjects S (without ∅)
Example
p1 = {Alice} := A
p2 = {Bob} := B
p3 = {Alice, Bob} := AB
6 / 33

USER GROUP MAPPING
User group mapping
Assigns users to the groups they participate in
Example
User User Group
Alice A
Alice AB
Bob B
Bob AB
7 / 33

OBJECT SET (O(pi))
Objects accessible by the same user group
O(pi) forms a partition over O
O(pi) = {o|o ∈ O ∧ QSo = pi}
Example
User t1 t2 t3 t4 t5
Alice 0 1 1 1 1
Bob 1 1 0 1 0
p1 = {Alice}
p2 = {Bob}
p3 = {Alice, Bob}
O(p1) = {t3, t5}
O(p2) = {t1}
O(p3) = {t2, t4}
8 / 33

VIRTUAL RELATION
Relation corresponding to one object set
One user group can access all of its tuples
Virtual relation mapping
Example
User Group Relation Virtual Relation
A R RA
B R RB
AB R RAB
9 / 33

VIRTUAL RELATION
Relation corresponding to one object set
One user group can access all of its tuples
Virtual relation mapping
Speciﬁed and maintained
by the data owner
Example
User Group Relation Virtual Relation
A R RA
B R RB
AB R RAB
9 / 33

ENCRYPTION OF RELATIONS
The data owner splits R
Virtual relations: RA, RB, RAB
Same schema as R
The data owner generates encryption keys
One key per group
Distributed to group member
Example
Generate key r a for group A and encrypt RA:
κr a(Ra) = {κr a(t)|t ∈ RA}
10 / 33

ENCRYPTION OF RELATIONS
The data owner splits R
Virtual relations: RA, RB, RAB
Same schema as R
The data owner generates encryption keys
One key per group
Distributed to group member
The number of keys for each user
depends on the number of groups
she participates
Example
Generate key r a for group A and encrypt RA:
κr a(Ra) = {κr a(t)|t ∈ RA}
10 / 33

QUERY REWRITING
Queries over more than one virtual relation
Performed by the ENKI Query Adapter
11 / 33

REWRITING STRATEGIES
Selection
Projection
Rename
Count
Set union
Cartesian product
12 / 33

SELECTION: σαθβ(R)
Predicate θ (=, <, ≤, >, ≥)
α, β (E.g.: attributes, constants)
Encrypt αθβ for both virtual relations:
κr a(α)θκr a(β) (for key r a)
κr ab(α)θκr ab(β) (for key r ab)
Example
(σαθβ(R), Alice) = σκr a(α)θκr a(β)(κr a(RA))∧
σκr ab(α)θκr ab(β)(κr ab(RAB))
= {κr a(t)|t ∈ RA ∧ κr a(α)θκr a(β)}∪
{κr ab(t)|t ∈ RAB ∧ κr ab(α)θκr ab(β)}
13 / 33

CARTESIAN PRODUCT: R × S
Tuple from R: r
Tuple from S: s
Example
(R × S, Alice) = {κr a(r)κs a(s)∨
κr a(r)κs ab(s)∨
κr ab(r)κs a(s)∨
κr ab(r)κs ab(s)
|r ∈ (RA ∨ RAB) ∧ s ∈ (SA ∨ SAB)}
14 / 33

OTHER OPERATIONS
Also support update, delete or insert
Support queries to modify the schema
Must modify schemas of virtual relations
15 / 33

PROXY RE-ENCRYPTION
Virtual relations encrypted with different keys
Cannot perform comparison
– Count distinctf, equi-join, set difference
Proxy re-encryption
Change keys without revealing plaintexts
Allow comparison
Deﬁnition
Proxy re-encryption of attribute Ai:
χy (κz(Ai)) := {χy(κz(tik))|tik ∈ Ai for all k = 1, ..., j}
= {κy(tik)|tik ∈ Ai for all k = 1, ..., j}
= κy (Ai)
16 / 33

PROPERTIES
Symmetry
χb(κa(Ai)) = κb(Ai) ↔ χa(κb(Ai)) = κa(Ai)
Transitivity
χb(κa(Ai)) = κb(Ai) ∧ χc(κb(Ai)) = κc(Ai) →
χc(κa(Ai)) = κc(Ai)
17 / 33

PROBLEM
Example
Alice has key r a, Bob has key r b, both have
key r ab.
Suppose a comparison between RA and RAB.
Proxy re-encryption of keys r a and r ab to r c:
r a ∼ r c and r ab ∼ r c.
Symmetry and transitivity allow:
r a ∼ r c ∼ r ab.
So Bob can access Alice’s data.
18 / 33

ALGORITHMS
Parameter generation
Key generation
Encryption
Token
Input: Two keys ki and kj
Output: Token to proxy re-encrypt ki to kj:
T = Token(ki, kj)
Proxy re-encryption
Input: Ciphertext C and token T
Output: Ciphertext C = Pre(C, T)
19 / 33

TEMPORARY RE-ENCRYPTION
A ciphertext can be re-encrypted only once
Persisting re-encryption restricts usability
Temporary re-encryption
Base values: values initially encrypted
DetPre values: temporary re-encrypted values
Concatenate DetPre to Base
Delete DetPre after the user logs out
20 / 33

EXECUTING EQUI-JOINS
Execute join on the virtual relations
Encrypted with different keys
Re-encrypt with a shared key
Also encrypt the join condition
Example
(R Ai =Bi
S, Alice) = {κc(r)κc(s)|
r ∈ (RA ∨ RAB)∧
s ∈ (SA ∨ SAB)∧
κc(ri)θκc(sj)}
21 / 33

EXECUTING AGGREGATE FUNCTIONS
Aggregate functions over virtual relations
Encrypted with different keys
Proxy re-encryption could be used
Depends on the encryption scheme used
Example
For SUM, the Paillier cryptosystem can be used.
Problem: Creation of a secure proxy
re-encryption for the Paillier cryptosystem.
Either hard to construct or expensive.
22 / 33

CLIENT-SERVER SPLIT EXECUTION
Compute partial results on the server
Results for each virtual relation
Generate ﬁnal result on the client
Decrypt partial results
Compute FAgg for the ﬁnal results
23 / 33

SUPPORTED AGGREGATIONS
Maximum
Minimum
Sum
Average
Sort
24 / 33

MAXIMUM
Example
On the server, compute:
Res(RA) = Max(RA)
Res(RAB) = Max(RAB)
On the client, compute:
FMax = Max(Max(RA), Max(RAB))
25 / 33

ENVIRONMENT
SAP HANA database
Extended with UDFs
Server
8-core 2.6GHz 252GB RAM
Client
2-core 2.8GHz 16GB RAM
Proxy re-encryption implementation
C language
pbc and gmp libraries
26 / 33

DATASETS
TCP-C benchmark
IS-H: Healthcare management
LSM: Resources planning
SFIN: Simpliﬁed ﬁnances for SAP ERP
Dataset # Tables # Columns
TCP-C 9 92
IS-H 7 477
LSM 25 173
SFIN 9 741
27 / 33

MULTI USER MODE OVERHEAD
Overhead of multi user mode: 37%
28 / 33

IMPACT OF QUERY REWRITING
29 / 33

IMPACT OF NUMBER OF USER GROUPS
30 / 33

IMPACT OF POST-PROCESSING
31 / 33

SUMMARY
ENKI
Query processing over encrypted data
Contribution
Access control
Query rewriting strategies
Secure proxy re-encryption
Split execution
Evaluation
“Modest overhead” (40%)
32 / 33

Rewriting Strategies Proxy Re-Encryption Split Execution System Execution Flow Key Management
EXTRA SLIDES

PROJECTION: πβ(R)
Relation R
R (Ai(1), ..., Ai(k)) ⊆ R(A1, ..., An)
Attribute list β
β = (Ai(1), ..., Ai(k)) ⊆ (A1, ..., An)
Example
(πβ(R), Alice) = πκr a(β)(κr a(RA))∪
πκr ab(β)(κr ab(RAB))
= κr a(RA) ∪ κr ab(RAB)

RENAME: ρQ←Ai
(R)
Rename ρ of an attribute Ai ∈ R to Q
Encrypt the new attribute name
Use keys of virtual relations
Rename is not persisted
Example
(ρQ←Ai
(R), Alice) = ρκr a(Q)←κr a(Ai )(κr a(RA))∪
ρκr ab(Q)←κr ab(Ai )(κr ab(RAB))

COUNT: βγCount(Ai)(R)
Executed on server-side
Count attributes values of Ai
Sum the partial results from virtual relations
Example
(βγCount(Ai )(R), Alice) = κr a(β)γCount(κr a(Ai ))(κr a(RA))+
κr ab(β)γCount(κr ab(Ai ))(κr ab(RAB))

SET UNION: R ∪ S
Union between two relations R and S
Same set of attributes
Example
(R ∪ S, Alice) = {κr a(t)|t ∈ RA}∪
{κr ab(t)|t ∈ RAB}∪
{κs a(t)|t ∈ SA}∪
{κs ab(t)|t ∈ SAB}

ALGORITHMS
Parameter generation
Key generation
Encryption
Token
Proxy re-encryption

PARAMETER GENERATION
Receives a security parameter λ
Generate a prime number p
Generate two groups G1, G2 of order p
Generate a map e : G1 × G1 → G2
Choose a random generator G ∈ G1

KEY GENERATION
Choose a random ki ∈ Zp

ENCRYPTION
Receives a plaintext m with key ki
Generates a ciphertext
C = Gmki ∈ G1

TOKEN
Receive two keys ki and kj
Generate a token T for proxy re-encryption
T = G
kj
ki ∈ G1

PROXY RE-ENCRYPTION
Receives a ciphertext C encrypted with ki
Generate ciphertext C encrypted with kj
C = e(C, T)
= e(Gmki
, G
kj
ki )
= e(G, G)
mki
kj
ki
= e(G, G)mkj
= gmkj
∈ G2

EXECUTING COUNT DISTINCT
Adjust keys of virtual relations
Re-encrypt to a common key
Example
(βγCountDistinct(Ai )(R), Alice) =
κc(β)γCountDistinct(κc(Ai ))(κc(RA) ∪ κc(RAB))

EXECUTING SET DIFFERENCE
Re-encrypt to a common key
Example
(R S, Alice) = {κc(t)|
t ∈ (RA ∨ RAB)∧
t /∈ (SA ∨ SAB)}

SUM
Example
Res(RA) = Sum(RA)
Res(RAB) = Sum(RAB)
FSum = Sum(Sum(RA), Sum(RAB))

AVERAGE
Replaced by the functions sum and count
Example
Res(RA) = {Sum(RA), Count(RA)}
Res(RAB) = {Sum(RAB), Count(RAB)}
FAvg = Sum(RA)+Sum(RAB)
Count(RA)+Count(RAB)

SORT
Example
Res(RA) = Sort(RA)
Res(RAB) = Sort(RAB)
FSort = Merge sorted lists(Sort(RA), Sort(RAB))

SYSTEM SETUP
The data owner
Handles n users
Deﬁnes the user group mapping
Deﬁnes the virtual relation mapping

QUERY EXECUTION STEPS
1 Look up
2 Proxy Re-encryption
3 Query encryption
4 Query rewriting
5 Server-side execution
6 Client-side execution

LOOK UP
Checks the user group mapping
Groups the query issuer belongs to
Checks virtual relation mapping
Virtual relations used to answer the query

PROXY RE-ENCRYPTION
Queries containing
Equi-join
Set difference
Count distinct
Temporary re-encryption to shared key
Example
(R Ai =Bi
S, Alice) = {κc(r)κc(s)|
r ∈ (RA ∨ RAB)∧
s ∈ (SA ∨ SAB)∧
κc(ri)θκc(sj)}

QUERY ENCRYPTION
Encrypt attributes used in the query
Attributes accessible by the issuer
Example
(σαθβ(R), Alice) = σκr a(α)θκr a(β)(κr a(RA))∧
σκr ab(α)θκr ab(β)(κr ab(RAB))
= {κr a(t)|t ∈ RA ∧ κr a(α)θκr a(β)}∪
{κr ab(t)|t ∈ RAB ∧ κr ab(α)θκr ab(β)}

QUERY REWRITING
Modiﬁes query
Executed over virtual relations
Returns a query sQ
Executed on the server
Can return am additional query cQ
Executed on the client
Example
sQ : Sum(RA), Count(RA), Sum(RAB), Count(RAB)
cQ : FAvg = Sum(RA)+Sum(RAB)

SERVER-SIDE EXECUTION
Executes the encrypted query sQ
Returns encrypted results to the client
If necessary, also returns cQ
Example
Res(RA) = {Sum(RA), Count(RA)}
Res(RAB) = {Sum(RAB), Count(RAB)}

CLIENT-SIDE EXECUTION
Receives the encrypted results
Decrypt
Execute cQ if it exists
Example
FAvg = Sum(RA)+Sum(RAB)

DYNAMIC ACCESS CONTROL POLICIES
Objects are encrypted with different keys
Busy user groups
User groups associated with objects
Non-empty object set
Access policies might change
Granting or revoking rights
Changes busy user groups

USER HIERARCHY
User Hierarchy (U)
Given a set of users S = {s1, ..., sn}, a user
hierarchy U is a pair (P∗
(S), ) where P∗
(S) is
the powerset without the empty set of S and
is a partial order such that for all sets of users
pi, pj ∈ P∗
(S), pi pj if pj ⊆ pi for all i, j =
{1, ..., 2n−1
}.
User dynamics change the hierarchy
Adding or deleting users

ADDING USER sn+1
Case 1
The original busy group porig
i becomes not busy
The new group (pnew
i ∪ sn+1) is busy
Case 2
The original busy group porig
i stays busy
The new group (pnew
i ∪ sn+1) is also busy

ADDING USER sn+1: CASE 1
The busy group porig
i becomes non busy
The new group (pnew
i ∪ sn+1) is busy
Solution
Add the user to the object set
Share the group key with user sn+1
O(porig
i ) = O(porig
i ∪ sn+1)

ADDING USER sn+1: CASE 2
i stays busy
The new group (pnew
i ∪ sn+1) is also busy
Solution
sn+1 has access to a subset of objects of porig
i
Re-encrypt O(porig
i ∪ sn+1) with a new key
O(porig
i ) = O(pnew
i ) ∪ O(porig
i ∪ sn+1)
O(pnew
i ) ∩ O(porig
i ∪ sn+1) = ∅

REVOKING RIGHTS OF USER sn
Case 1
A user sn is revoked from all rights
Case 2
A user sn is revoked from a user group
Case 3
A user sn is revoked from certain objects

REVOKING USER sn: CASE 1
A user sn is revoked from all rights
The hierarchy changes
Solution
i ∪ sn is deleted
Objects from porig
i ∪ sn are accessible by porig
i
Re-encrypt O(porig
i ∪ sn) using the key of porig
i
O(pnew
i ) = O(porig
i ) ∪ O(porig
i )

A user sn is revoked from a user group
Does not change the hierarchy
Changes busy user groups
Solution
Busy user group porig
i ∪ sn becomes non busy
Re-encrypt O(porig
i ∪ sn) using the key of porig
i
O(pnew
i ) = O(porig
i ∪ sn) ∪ O(porig
i )

A user sn is revoked from certain objects
Solution
Busy group porig
i ∪ sn is split into two
– pnew
i ∪ sn and pnew
i
Re-encrypt O(pnew
i ) using the key of porig
i
O(porig
i ∪ sn) = O(pnew
i ∪ sn) ∪ O(pnew
i )
O(pnew
i ∪ sn) ∩ O(pnew
i ) = ∅

ENKI: Access Control for Encrypted Query Processing

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (16)

Similar to ENKI: Access Control for Encrypted Query Processing

Similar to ENKI: Access Control for Encrypted Query Processing (20)

Recently uploaded

Recently uploaded (20)

ENKI: Access Control for Encrypted Query Processing